Presentation is loading. Please wait.

Presentation is loading. Please wait.

Changing How You Reverse Engineer

Published byEmery Stephens Modified over 6 years ago

Similar presentations

Presentation on theme: "Changing How You Reverse Engineer"— Presentation transcript:

1 Changing How You Reverse Engineer
Angel M. Villegas

2 Outline Background FIRST System Overview Server Framework
Client Components IDA Pro Integration Demo

3 The Problem Current reverse engineering process
Get a sample, analyze sample Get next sample, analyze sample Rinse and repeat… Analysis work can be duplicated For the analyst and others

4 What is FIRST FIRST: Function Identification and Recovery Signature Tool Streamlines code research prevents duplicate effort improves analysis time Flexible Modular framework made for expanding

5 System Overview ABI API IDA Plugin DB Manager REST API Framework
Server Plugin IDA Integrations Authentication REST API Engine Manager Web Site Engine Manager

6 Engine Manager Installed Engines Initialization DB Manager
Operational Engines DB Manager Initialization Scan ∀𝑥∈𝑂 Add Send Data to Each Engine Add Scan REST API Data Engine Manager

7 Engine Example class ExampleEngine(AbstractEngine): _name = 'ExampleEngineName' _description = 'Example Engine Description' _required_db_names = [] def _add(self, function): pass def scan(self, opcodes, architecture, apis): pass def intall(self): pass def uninstall(self): pass

8 DB Manager API FIRST DB DB Manager API DB Object API DB Object

9 Engine Example class ExampleDB(AbstractDB): _name = 'ExampleDBName’ def __init__(self): pass # Additional functions the class provides # def func1(self):

10 Authentication Beta makes use of Google OAuth2

11 The Data OpenSSL 7zip aPLib ucl LibreSSL 2.3.1 Mimikatz aPackage UPX
ClamWin Alina Spark Dexter Grum Pony Zeus HackingTeam RCS

12 Client Components Application Programming Interface
Application Binary Interface Integrations

13 Integration: IDA Pro: Plugin
Custom GUI Built-in Windows IDA Pro Main Thread Server IDB

14 Integration: IDA Pro: Installing
REQUIREMENTS pip install requests Python Requests Module OPTIONAL: Requests-kerberos (if kerberos authentication is required) GET THE PLUG-IN Download Python Plug-in from Copy plug-in to IDA Pro plug-ins folder Run IDA Pro

15 Integration: IDA Pro: Installing
Windows: Mac: pip install first-plugin-ida C:\Python27\Scripts\first-plugin-ida pip install first-plugin-ida /usr/local/bin/first-plugin-ida

16 Integration: IDA Pro: Configuration
OPTION 1 Enter configuration at the Welcome Screen (appears only when FIRST is not configured) OPTION 2 IDA Pro View Window Press ‘1’ IDA Pro’s menu Edit > Plugins > FIRST Select Configuration

17 Integration: IDA Pro: Operations
Right Click Menu Check [All] Add [Multiple] Update View History Other Operations Currently Applied Manage Added Annotations

18 Integration: IDA Pro: Check
Check for a single function or all at once Plug-in sends the server the opcodes, architecture, and APIs called by function

19 Integration: IDA Pro: Add
Adding a function or many at once Plug-in sends the server the opcodes, architecture, APIs called by function and metadata (function’s name, prototype, and repeatable comment)

20 Integration: IDA Pro: View History
Viewing Annotation History Right Click on function with metadata from FIRST to see its history Tracks metadata changes over time for each function for each user

21 Integration: IDA Pro: Managing
Deleting created annotations Right click metadata and select delete, or select the metadata and hit the delete key.

22 Integration: IDA Pro: Currently Applied
Viewing annotations applied Right click menu provides a way to view history or go to the function.

23 Integration: Hex Rays’ IDA Pro
FIRST Demo Integration: Hex Rays’ IDA Pro

24 Questions Register to use FIRST Get the code Read the docs
Submit issues: Register to use FIRST Read the docs

25 talosintel.com blogs.cisco.com/talos @talossecurity

Download ppt "Changing How You Reverse Engineer"

Similar presentations

MEDICAL SERVICES CORPORATION Recipients MSC MSC User will print forms from any Windows application to the Reform Print Driver A A B B Reform Print Driver.

MEDICAL SERVICES CORPORATION Recipients MSC MSC User will print forms from any Windows application to the Reform Print Driver A A B B Reform Print Driver.
A Toolbox for Blackboard Tim Roberts

A Toolbox for Blackboard Tim Roberts
Online School Registration System Solomon Ng Pei-Yu Wang Evan Chiu Curtis Wong.

Online School Registration System Solomon Ng Pei-Yu Wang Evan Chiu Curtis Wong.
Table of Contents Part B Managing Documents & References File organizer Citing references Creating bibliographies/Using MS Word Plugin Sharing documents.

Table of Contents Part B Managing Documents & References File organizer Citing references Creating bibliographies/Using MS Word Plugin Sharing documents.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Eclipse Introduction Dwight Deugo Nesa Matic

Eclipse Introduction Dwight Deugo Nesa Matic
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
Hello Vaadin! CS 3130 Summer 2015.

Hello Vaadin! CS 3130 Summer 2015.
Federated Searching Pre-Conference Workshop - The federated searching cookbook Qin Zhu HP Labs Research Library February 18, 2007.

Federated Searching Pre-Conference Workshop - The federated searching cookbook Qin Zhu HP Labs Research Library February 18, 2007.
Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.

Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.
SubVersioN – the new Central Service at DESY by Marian Gawron.

SubVersioN – the new Central Service at DESY by Marian Gawron.
WaveMaker Visual AJAX Studio 4.0 Training Studio Overview.

WaveMaker Visual AJAX Studio 4.0 Training Studio Overview.
MagicInfo Pro Server Software All control, content, and scheduling is performed within the MagicInfo Pro Server software previously installed. Before.

MagicInfo Pro Server Software All control, content, and scheduling is performed within the MagicInfo Pro Server software previously installed. Before.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.
Design for Senior Project December 05, 2007 Raytheon_Design_Review.ppt 1 of 19 Raytheon – Google Earth Roy Daniels, Marc Maciel, Rifina Pierre Department.

Design for Senior Project December 05, 2007 Raytheon_Design_Review.ppt 1 of 19 Raytheon – Google Earth Roy Daniels, Marc Maciel, Rifina Pierre Department.
Eclipse Overview Introduction to Web Programming Kirkwood Continuing Education Fred McClurg © Copyright 2015, Fred McClurg, All Rights Reserved.

Eclipse Overview Introduction to Web Programming Kirkwood Continuing Education Fred McClurg © Copyright 2015, Fred McClurg, All Rights Reserved.
XP New Perspectives on Browser and E-mail Basics Tutorial 1 1 Browser and E-mail Basics Tutorial 1.

XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
Home Media Network Hard Drive Training for Update to 2.0 By Erik Collett 6.03.09 Revised for Firmware Update.

Home Media Network Hard Drive Training for Update to 2.0 By Erik Collett Revised for Firmware Update.
M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.

M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.
Arc: AddIns Dr Andy Evans. Java Direct access to ArcObjects Framework inside and outside Arc. Ability to add components to the GUI. Ability to communicate.

Arc: AddIns Dr Andy Evans. Java Direct access to ArcObjects Framework inside and outside Arc. Ability to add components to the GUI. Ability to communicate.

Similar presentations

Ads by Google